Package: openssh Version: 1:6.9p1-1 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu wily ubuntu-patch
Dear Maintainer, We've received a couple bugs in Ubuntu regarding the lack of support for Linux Audit login event support: https://launchpad.net/bugs/1319278 https://launchpad.net/bugs/1478087 The aulast and aureport tools do not work for sshd logins because openssh is not built with audit support. This means that AUDIT_USER_LOGIN events aren't logged by sshd so the Linux Audit tools do not find login information in the audit log. I've performed a test build of openssh, built with --with-audit=linux, and verified that AUDIT_USER_LOGIN events are correctly logged: type=USER_LOGIN msg=audit(1441160388.221:321): pid=5751 uid=0 auid=1000 ses=11 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.1.8.1 addr=10.1.8.1 terminal=/dev/pts/7 res=success' The aulast tool works as expected using the test openssh build: $ sudo aulast tyhicks pts/7 10.1.8.1 Tue Sep 1 21:19 still logged in I've attached a patch containing the simple changes needed to enable audit support on Linux. Thanks for considering the patch. -- System Information: Debian Release: jessie/sid APT prefers vivid-updates APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.19.0-26-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru openssh-6.9p1/debian/changelog openssh-6.9p1/debian/changelog diff -Nru openssh-6.9p1/debian/control openssh-6.9p1/debian/control --- openssh-6.9p1/debian/control 2015-08-20 04:34:45.000000000 -0500 +++ openssh-6.9p1/debian/control 2015-09-01 21:08:53.000000000 -0500 @@ -2,7 +2,7 @@ Section: net Priority: standard Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> -Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3), libssl-dev (>= 0.9.8g), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 9~), dh-exec, libselinux1-dev [linux-any], libkrb5-dev | heimdal-dev, dpkg-dev (>= 1.16.1~), libck-connector-dev, dh-autoreconf, autotools-dev, dh-systemd (>= 1.4) +Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3), libssl-dev (>= 0.9.8g), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 9~), dh-exec, libselinux1-dev [linux-any], libkrb5-dev | heimdal-dev, dpkg-dev (>= 1.16.1~), libck-connector-dev, dh-autoreconf, autotools-dev, dh-systemd (>= 1.4), libaudit-dev XS-Testsuite: autopkgtest Standards-Version: 3.9.6 Uploaders: Colin Watson <cjwat...@debian.org>, Matthew Vernon <matt...@debian.org> diff -Nru openssh-6.9p1/debian/rules openssh-6.9p1/debian/rules --- openssh-6.9p1/debian/rules 2015-08-20 04:34:45.000000000 -0500 +++ openssh-6.9p1/debian/rules 2015-08-31 17:12:30.000000000 -0500 @@ -91,6 +91,7 @@ confflags += --with-ssl-engine ifeq ($(DEB_HOST_ARCH_OS),linux) confflags += --with-selinux +confflags += --with-audit=linux endif ifeq ($(DISTRIBUTOR),Ubuntu) confflags += --with-consolekit